A quick recap on NotPetya — unofficial CliffsNotes guide

Jun 28 2017

Post by: Cybereason Intelligence Team

The NotPetya ransomware infected more than 80 companies on Tuesday, affecting computers of a Russian oil company and shipping giant A.P. Moller-Maersk. Ukraine organizations were hit particularly hard with a grocery store chain, a major telecommunications company and several banks all reporting infections.

Here’s a recap on NotPetya from Cybereason Intelligence Team. See previous post for additional information on action steps we recommend for prevention and mitigation.

What does NotPetya do?

NotPetya overwrites the Master Boot Record of the System with a malicious payload. It attempts to force a “Hard Error” within Windows to reboot the system. If that fails it also creates a task on the Windows system to initiate a reboot after a set delay. Upon reboot, the code inserted into the MBR executes and encrypts user files on the system. It creates a scheduled task on the infected system prior to reboot that will re-encrypt the system if it is recovered through other means. The “ransom” message is displayed to the user telling them how to pay for a recovery key. The email address for the recovery key is no longer available which makes recovery via ransom payment impossible.

How does it spread?

Like the WannaCry attack, it also uses the the MS017-010 vulnerability exploit) also known as “EternalBlue”) to spread. In addition, it harvests credentials from the infected machine and uses other techniques like PSEXEC and/or Windows Management Instrumentation (WMI) to move laterally throughout a network and infect other machines.

Unlike WannaCry, this attack didn’t use EternalBlue to spread external. Instead, the vulnerability was only used to spread internally in networks, helping contain the attack.

MeDoc, a Ukraine financial company that makes accounting software, has been theorized to be the source of the infection. Allegedly, attackers breached the company and compromised a software update. The company has around 400,000 customers, providing the adversary with sizeable pool of victims. One strike against this theory: some of the organizations that were infected are not MeDoc customers. None of this has been confirmed and, at this time, is just a theory.

What’s unique about NotPetya?

NotPetya encrypts files only after the machine is rebooted – unlike most ransomware that encrypts files as soon as it executes. NotPetya spreads throughout the network, extracts admin credentials, and schedules a task to reboot the machine. As soon as a victim reboots their machine, NotPetya overwrites the Master Boot Record (MBR) with a malicious payload that encrypts the full disk. It kills itself prior to infection if the en_US keyboard layout is the only keyboard layout installed

What seems to be the goal(s) of this campaign?

At this time, making money doesn’t seem to be the main goal. Whoever is behind this attack was not looking to cash in. The email address that the attackers set up to communicate with victims was inoperable a few hours after the attack gained momentum. As of Wednesday afternoon, the bitcoin wallet associated with the attack recorded 42 bitcoin transactions totaling around $10,000. That’s not exactly a windfall and doesn’t nearly cover the expenses it took to conduct the attack.

Causing as much disruption as possible was the attack’s likely goal. On that front, the attack succeeded: offices closed, people were unableto buy food at supermarkets and employees were told not to use their computers.

The Cybereason Team is actively investigating and we’ll continue to update and share information.